A new ransomware dubbed “Petya” started spreading across Europe on Tuesday, affecting businesses and governments that weren’t sufficiently protected.

But its reach has not been restricted to just Europe, as India has suffered at the hands of Petya ransomware. This is the second public ransomware attack in as many months, following up on the WannaCry ransomware that affected 230,000 in over 150 countries.

Hasherzade who is a researcher well known for her great work with the original Petya ransomware, among other things, tweeted a bindiff showing the current strain has very high similarity to the original.

Who has been affected by Petya ransomware?

According to multiple reports, Petya ransomware was first delivered via an update for a Ukrainian accounting software called MeDoc, using a false digital signature.

While the company has denied the allegations, researchers at Kaspersky and Talos Intelligence, as well as the Ukrainian cyberpolice, have confirmed the findings.

Petya spread across Ukraine like wildfire, hitting both government services and foreign companies. It affected the country’s national bank, the state power company, and the largest airport: Kiev’s Borispol Airport.

It has even affected the Chernobyl nuclear power plant, according to The Independent, which has been forced to fall back on older technologies for radiation monitoring.

Due to Petya ransomware, the India operations of German personal care company Beiersdorf AG, and British consumer goods company Reckitt Benckiser have been hit, as per reports.

The ransomware has also halted work at one of the terminals at India’s largest container port, Jawaharlal Nehru Port (JNPT) off the east coast of Mumbai.

The reason for that is because Maersk’s offices in the Netherlands were infected by Petya, which handles containers at Gateway Terminals India (GTI) at JNPT.

How is Petya different from WannaCry?

Petya relies on the same NSA-leaked EternalBlue exploit that was used by WannaCry, but that’s only one of its strategies to burrow itself across computers on a network.

Microsoft issued a patch for affected Windows versions, but businesses take time to install updates in fear of breaking compatibility with existing software.

That’s exactly why the people behind Petya are targeting organisations in the first place, since they are much more vulnerable than an individual user.

Petya needs only a single fault in a network, so as long as one machine on a company’s network hasn’t applied the Microsoft patch, it can then infect every other computer on that network too.

The important difference between WannaCry and Petya is WannaCry was likely deployed onto a small number of computers and then spread rapidly, whereas Petya seem to have been deployed onto a large number of computers and spread via local network.

Therefore, in this instance there is low risk of new infections more than 1h after the attack (the malware shuts down the computer to encrypt it 1h after execution, by which time it will already have completed its local network scan).

Thankfully, Petya is designed to spread inside one company rather than across the globe, says MalwareTech, which means it only scans on the same local network rather than the Internet.

Since networks are limited in size, Petya should stop spreading much sooner than WannaCry, which still continues to spread.

Costin Raiu, CRO of Kaspersky Labs, is now suggesting there was a second initial infection vector where the website for the Ukrainian City of Bahmut (Бахмут) was hacked and used to serve the malware.

Avoid visiting link in below tweet as it may still be infected.

In addition to known vectors, ExPetr/PetrWrap/Petya was also distributed through a waterhole attack on https://t.co/j9DvYcEgW7

How does Petya ransomware work?

The use of EternalBlue, Petya can propagate over the network using WMIC (Windows Management Instrumentation Commandline) by trying credentials gathered from the local machine using Mimikatz (source). this allows it to infect network systems which are patched against EternalBlue or not running SMB.

“These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.”

Once it infects a computer, Petya waits for 10-60 minutes, and then reboots the computer with a scheduled task. Upon reboot, it encrypts the Master File Table – the so-called hard drive’s index.

and then overwrites the Master Boot Record (which contains instructions for where the system OS is located) with a custom loader.

It also places a ransom note, to explain what users must do to regain control of their computers.

Post that, the ransomware obtains a list of computers on the same network, and then checks whether two TCP ports – 139 and 445 – are open. If they are, Petya then proceeds to infect them with one of the above methods.

what are their demands?

As for their demands, the ransom note that’s displayed after the Petya infection asks for the equivalent of $300 (roughly Rs. 19,300) in Bitcoin to a unified Bitcoin address.

After that, you must send a confirmation of the payment to an email address upon which the attackers will send you a decryption key.

While some people made payments on Tuesday night, ransom payments aren’t advised any more as the email address being used for confirmation has been shut down by the email provider.

That means even if you’re okay paying $300 for your data, it’s impossible for the attackers to send you a decryption key.